02a1abbf1dca88e417498d9c2bd86ef3ead5a71bcee676356e7731371ef73338

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

391da1dc7cd8ccd8438d258fb58eadeb.exe
Size

439KB
MD5

391da1dc7cd8ccd8438d258fb58eadeb
SHA1

16e51750473c116bfa3f1e7f0e345a0d3aae5720
SHA256

02a1abbf1dca88e417498d9c2bd86ef3ead5a71bcee676356e7731371ef73338
SHA512

47d265bf41adca8feb173a43c49bc5bda1c72c277bce2d52f10b7dcaf61f70baf0e22fb613ed4367fa5eca033be992e17a0e1ffff57ae6e81ba85088c4fe2cad
SSDEEP

6144:HrnkP+6bB0H9rj3fMobS1bSKPbSX2heDObS08bSAheDpbSk7HV/B+ybS0ya2heDD:HQ+Qu9piLzwoJZeDuD7ZlyVl5Zk7hck

Score

10^/10

adware persistence stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	391da1dc7cd8ccd8438d258fb58eadeb.exe

Drops file in Drivers directory 58 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	391da1dc7cd8ccd8438d258fb58eadeb.exe

Sets service image path in registry 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe

Modifies system executable filetype association 2 TTPs 28 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\I:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\N:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\W:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\K:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\U:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\O:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\U:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\V:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\J:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\T:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\P:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\U:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\W:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\S:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\P:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\U:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\R:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\G:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\M:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\L:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\I:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\X:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\N:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\G:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\S:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\E:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\Q:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\X:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\K:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\W:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\I:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\Q:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\W:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\K:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\S:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\W:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\P:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\V:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\M:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\J:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\S:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\T:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\K:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\X:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\J:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\X:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\H:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\M:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\G:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\R:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\V:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\O:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\O:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\T:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\X:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\X:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\E:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\U:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\W:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\L:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\L:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\O:	391da1dc7cd8ccd8438d258fb58eadeb.exe
File opened (read-only)	\??\L:	391da1dc7cd8ccd8438d258fb58eadeb.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	reg.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	391da1dc7cd8ccd8438d258fb58eadeb.exe

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	391da1dc7cd8ccd8438d258fb58eadeb.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
60	391da1dc7cd8ccd8438d258fb58eadeb.exe
60	391da1dc7cd8ccd8438d258fb58eadeb.exe
5060	391da1dc7cd8ccd8438d258fb58eadeb.exe
5060	391da1dc7cd8ccd8438d258fb58eadeb.exe
4060	391da1dc7cd8ccd8438d258fb58eadeb.exe
4060	391da1dc7cd8ccd8438d258fb58eadeb.exe
3188	391da1dc7cd8ccd8438d258fb58eadeb.exe
3188	391da1dc7cd8ccd8438d258fb58eadeb.exe
3000	391da1dc7cd8ccd8438d258fb58eadeb.exe
3000	391da1dc7cd8ccd8438d258fb58eadeb.exe
1496	391da1dc7cd8ccd8438d258fb58eadeb.exe
1496	391da1dc7cd8ccd8438d258fb58eadeb.exe
5096	391da1dc7cd8ccd8438d258fb58eadeb.exe
5096	391da1dc7cd8ccd8438d258fb58eadeb.exe
2308	391da1dc7cd8ccd8438d258fb58eadeb.exe
2308	391da1dc7cd8ccd8438d258fb58eadeb.exe
1204	391da1dc7cd8ccd8438d258fb58eadeb.exe
1204	391da1dc7cd8ccd8438d258fb58eadeb.exe
4656	391da1dc7cd8ccd8438d258fb58eadeb.exe
4656	391da1dc7cd8ccd8438d258fb58eadeb.exe
4424	391da1dc7cd8ccd8438d258fb58eadeb.exe
4424	391da1dc7cd8ccd8438d258fb58eadeb.exe
4536	391da1dc7cd8ccd8438d258fb58eadeb.exe
4536	391da1dc7cd8ccd8438d258fb58eadeb.exe
2932	391da1dc7cd8ccd8438d258fb58eadeb.exe
2932	391da1dc7cd8ccd8438d258fb58eadeb.exe
4648	391da1dc7cd8ccd8438d258fb58eadeb.exe
4648	391da1dc7cd8ccd8438d258fb58eadeb.exe
3256	391da1dc7cd8ccd8438d258fb58eadeb.exe
3256	391da1dc7cd8ccd8438d258fb58eadeb.exe
2056	391da1dc7cd8ccd8438d258fb58eadeb.exe
2056	391da1dc7cd8ccd8438d258fb58eadeb.exe
896	391da1dc7cd8ccd8438d258fb58eadeb.exe
896	391da1dc7cd8ccd8438d258fb58eadeb.exe
4452	391da1dc7cd8ccd8438d258fb58eadeb.exe
4452	391da1dc7cd8ccd8438d258fb58eadeb.exe
2760	391da1dc7cd8ccd8438d258fb58eadeb.exe
2760	391da1dc7cd8ccd8438d258fb58eadeb.exe
3528	391da1dc7cd8ccd8438d258fb58eadeb.exe
3528	391da1dc7cd8ccd8438d258fb58eadeb.exe
4812	391da1dc7cd8ccd8438d258fb58eadeb.exe
4812	391da1dc7cd8ccd8438d258fb58eadeb.exe
5056	391da1dc7cd8ccd8438d258fb58eadeb.exe
5056	391da1dc7cd8ccd8438d258fb58eadeb.exe
3120	391da1dc7cd8ccd8438d258fb58eadeb.exe
3120	391da1dc7cd8ccd8438d258fb58eadeb.exe
4196	391da1dc7cd8ccd8438d258fb58eadeb.exe
4196	391da1dc7cd8ccd8438d258fb58eadeb.exe
2404	391da1dc7cd8ccd8438d258fb58eadeb.exe
2404	391da1dc7cd8ccd8438d258fb58eadeb.exe
4056	391da1dc7cd8ccd8438d258fb58eadeb.exe
4056	391da1dc7cd8ccd8438d258fb58eadeb.exe
1624	391da1dc7cd8ccd8438d258fb58eadeb.exe
1624	391da1dc7cd8ccd8438d258fb58eadeb.exe
220	391da1dc7cd8ccd8438d258fb58eadeb.exe
220	391da1dc7cd8ccd8438d258fb58eadeb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 3896	60	391da1dc7cd8ccd8438d258fb58eadeb.exe	87
PID 60 wrote to memory of 3896	60	391da1dc7cd8ccd8438d258fb58eadeb.exe	87
PID 60 wrote to memory of 3896	60	391da1dc7cd8ccd8438d258fb58eadeb.exe	87
PID 60 wrote to memory of 5060	60	391da1dc7cd8ccd8438d258fb58eadeb.exe	90
PID 60 wrote to memory of 5060	60	391da1dc7cd8ccd8438d258fb58eadeb.exe	90
PID 60 wrote to memory of 5060	60	391da1dc7cd8ccd8438d258fb58eadeb.exe	90
PID 5060 wrote to memory of 4060	5060	391da1dc7cd8ccd8438d258fb58eadeb.exe	95
PID 5060 wrote to memory of 4060	5060	391da1dc7cd8ccd8438d258fb58eadeb.exe	95
PID 5060 wrote to memory of 4060	5060	391da1dc7cd8ccd8438d258fb58eadeb.exe	95
PID 4060 wrote to memory of 3188	4060	391da1dc7cd8ccd8438d258fb58eadeb.exe	99
PID 4060 wrote to memory of 3188	4060	391da1dc7cd8ccd8438d258fb58eadeb.exe	99
PID 4060 wrote to memory of 3188	4060	391da1dc7cd8ccd8438d258fb58eadeb.exe	99
PID 3188 wrote to memory of 3000	3188	391da1dc7cd8ccd8438d258fb58eadeb.exe	100
PID 3188 wrote to memory of 3000	3188	391da1dc7cd8ccd8438d258fb58eadeb.exe	100
PID 3188 wrote to memory of 3000	3188	391da1dc7cd8ccd8438d258fb58eadeb.exe	100
PID 3000 wrote to memory of 1496	3000	391da1dc7cd8ccd8438d258fb58eadeb.exe	101
PID 3000 wrote to memory of 1496	3000	391da1dc7cd8ccd8438d258fb58eadeb.exe	101
PID 3000 wrote to memory of 1496	3000	391da1dc7cd8ccd8438d258fb58eadeb.exe	101
PID 1496 wrote to memory of 5096	1496	391da1dc7cd8ccd8438d258fb58eadeb.exe	102
PID 1496 wrote to memory of 5096	1496	391da1dc7cd8ccd8438d258fb58eadeb.exe	102
PID 1496 wrote to memory of 5096	1496	391da1dc7cd8ccd8438d258fb58eadeb.exe	102
PID 5096 wrote to memory of 2308	5096	391da1dc7cd8ccd8438d258fb58eadeb.exe	104
PID 5096 wrote to memory of 2308	5096	391da1dc7cd8ccd8438d258fb58eadeb.exe	104
PID 5096 wrote to memory of 2308	5096	391da1dc7cd8ccd8438d258fb58eadeb.exe	104
PID 2308 wrote to memory of 1204	2308	391da1dc7cd8ccd8438d258fb58eadeb.exe	105
PID 2308 wrote to memory of 1204	2308	391da1dc7cd8ccd8438d258fb58eadeb.exe	105
PID 2308 wrote to memory of 1204	2308	391da1dc7cd8ccd8438d258fb58eadeb.exe	105
PID 1204 wrote to memory of 4656	1204	391da1dc7cd8ccd8438d258fb58eadeb.exe	106
PID 1204 wrote to memory of 4656	1204	391da1dc7cd8ccd8438d258fb58eadeb.exe	106
PID 1204 wrote to memory of 4656	1204	391da1dc7cd8ccd8438d258fb58eadeb.exe	106
PID 4656 wrote to memory of 4424	4656	391da1dc7cd8ccd8438d258fb58eadeb.exe	107
PID 4656 wrote to memory of 4424	4656	391da1dc7cd8ccd8438d258fb58eadeb.exe	107
PID 4656 wrote to memory of 4424	4656	391da1dc7cd8ccd8438d258fb58eadeb.exe	107
PID 4424 wrote to memory of 4536	4424	391da1dc7cd8ccd8438d258fb58eadeb.exe	108
PID 4424 wrote to memory of 4536	4424	391da1dc7cd8ccd8438d258fb58eadeb.exe	108
PID 4424 wrote to memory of 4536	4424	391da1dc7cd8ccd8438d258fb58eadeb.exe	108
PID 4536 wrote to memory of 2932	4536	391da1dc7cd8ccd8438d258fb58eadeb.exe	109
PID 4536 wrote to memory of 2932	4536	391da1dc7cd8ccd8438d258fb58eadeb.exe	109
PID 4536 wrote to memory of 2932	4536	391da1dc7cd8ccd8438d258fb58eadeb.exe	109
PID 2932 wrote to memory of 4648	2932	391da1dc7cd8ccd8438d258fb58eadeb.exe	110
PID 2932 wrote to memory of 4648	2932	391da1dc7cd8ccd8438d258fb58eadeb.exe	110
PID 2932 wrote to memory of 4648	2932	391da1dc7cd8ccd8438d258fb58eadeb.exe	110
PID 4648 wrote to memory of 3256	4648	391da1dc7cd8ccd8438d258fb58eadeb.exe	111
PID 4648 wrote to memory of 3256	4648	391da1dc7cd8ccd8438d258fb58eadeb.exe	111
PID 4648 wrote to memory of 3256	4648	391da1dc7cd8ccd8438d258fb58eadeb.exe	111
PID 3256 wrote to memory of 2056	3256	391da1dc7cd8ccd8438d258fb58eadeb.exe	112
PID 3256 wrote to memory of 2056	3256	391da1dc7cd8ccd8438d258fb58eadeb.exe	112
PID 3256 wrote to memory of 2056	3256	391da1dc7cd8ccd8438d258fb58eadeb.exe	112
PID 2056 wrote to memory of 896	2056	391da1dc7cd8ccd8438d258fb58eadeb.exe	113
PID 2056 wrote to memory of 896	2056	391da1dc7cd8ccd8438d258fb58eadeb.exe	113
PID 2056 wrote to memory of 896	2056	391da1dc7cd8ccd8438d258fb58eadeb.exe	113
PID 896 wrote to memory of 4452	896	391da1dc7cd8ccd8438d258fb58eadeb.exe	114
PID 896 wrote to memory of 4452	896	391da1dc7cd8ccd8438d258fb58eadeb.exe	114
PID 896 wrote to memory of 4452	896	391da1dc7cd8ccd8438d258fb58eadeb.exe	114
PID 4452 wrote to memory of 2760	4452	391da1dc7cd8ccd8438d258fb58eadeb.exe	115
PID 4452 wrote to memory of 2760	4452	391da1dc7cd8ccd8438d258fb58eadeb.exe	115
PID 4452 wrote to memory of 2760	4452	391da1dc7cd8ccd8438d258fb58eadeb.exe	115
PID 2760 wrote to memory of 3528	2760	391da1dc7cd8ccd8438d258fb58eadeb.exe	116
PID 2760 wrote to memory of 3528	2760	391da1dc7cd8ccd8438d258fb58eadeb.exe	116
PID 2760 wrote to memory of 3528	2760	391da1dc7cd8ccd8438d258fb58eadeb.exe	116
PID 3528 wrote to memory of 4812	3528	391da1dc7cd8ccd8438d258fb58eadeb.exe	117
PID 3528 wrote to memory of 4812	3528	391da1dc7cd8ccd8438d258fb58eadeb.exe	117
PID 3528 wrote to memory of 4812	3528	391da1dc7cd8ccd8438d258fb58eadeb.exe	117
PID 4812 wrote to memory of 5056	4812	391da1dc7cd8ccd8438d258fb58eadeb.exe	118

C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
"C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
  2⤵
  - Installs/modifies Browser Helper Object
  PID:3896
- C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
  C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
    C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
    3⤵
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
      C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
      4⤵
      Drops file in Drivers directory
      Sets service image path in registry
      Modifies system executable filetype association
      Adds Run key to start application
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3188
    - - C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        6⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        7⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        8⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        9⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        10⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        11⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        12⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        13⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        14⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        15⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        16⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        17⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        18⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        19⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        20⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        21⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        22⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        23⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        24⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        25⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        26⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        27⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        28⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        
        C:\Users\Admin\AppData\Local\Temp\391da1dc7cd8ccd8438d258fb58eadeb.exe
        29⤵
        Drops file in Drivers directory
        
        PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
444KB

MD5
e17f69a2a182c487a828dd63ae6e5b9f

SHA1
29db38c15aedbccb4afb2573b54e045629d624f2

SHA256
269147edaf8466bfa5e4fa20bf1c34d11468907fbbb52e32a8d7bec096c5df22

SHA512
e8b6dd35cc4d6864cac6250cb53b6a36d8975bf135f050b75ba2f81490392a7de2f1df38111b7961ef67777a3a90af3b68370501f2ad2d26b8cef47e442a388b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
444KB

MD5
ccf71c548ec29aa43a110f5c822ff0cd

SHA1
59a49d3f133b48a223b4af7c01807237aaa17eeb

SHA256
d3b2da45f99235eff5d8147e54fb116b583cdd64a526b41f612ef359b1e05420

SHA512
291655441991eb9832aa61a964aac2909ba5d451df6f4b14e66d335be2f4b09fdbbd114f8b310acd8d93f5c76aa1520873790acebcc37a5c076c307a0ef93ee2

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
444KB

MD5
546cbedde39171c644d2e1f1bab665a3

SHA1
a242930c7f53815b455b40d06fdeefe7e9488a76

SHA256
b45e85aac6db839af2825b2058ee8d5769138fad55fa802209a71733d33af5bc

SHA512
d2708044b0c5c44c5a93dfbcad1fa14f062121114d8f786ca2b45a278473a988a4d964d5e8882ab0c802d64e536259577c0e23d392e668ae1062fca21470103d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
468KB

MD5
ff72bc201e20601f837dd22c16d4d8ba

SHA1
c18b5e973a804e823dc67f2d3ad3f9eb3c47aa06

SHA256
921cfc99116e7ec5665cad0b22d21575669aae76ac3a66c82aed3838106c07d2

SHA512
ccf60f62264a8d3206e84afb008e7428516bc1700a56ffdffd256be02d9a4a13095d1b3286fcec15d030f452f603ac4f9ad69f4bfa55e0e4732cf4347076bbd8

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
451KB

MD5
b13e70e180b95bd78cb78ecace7d5ba4

SHA1
f59dc480b5897aca465f68d1e11f5df5502c1126

SHA256
99652e180e45efc62ba015aa561b1bb79de81440fd8855aceb416948d2388a4d

SHA512
710828319891ad97ca1fb9a613de9bdc468098969f08dc3756998ee95bcc3aa48dd097fc0cea727a65f7fd7134682973ccc46d993f0b3009e95954e4e62ed6bd

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
445KB

MD5
b009cce78c27ea7127ff98cdfc22a3be

SHA1
a8caa60d6bafbf23482d08c54a09b4ddb1d47634

SHA256
5df2e7c85e1dbc4317ea50aae59dffa2a7e5a82dc1c51f17e188f932f786b143

SHA512
263b5cd928db4a2e132891817f11d797a1580baa35d887a8fadf7572cb1c6638d9e02a02046e3f99dad196efb82d45e091687ef913bb4de41980aab971c1a1dd

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
458KB

MD5
44bf56243a3cef51a43136ad3a1bc9b8

SHA1
e6d68a92b1997215be5a86f304456f334329de93

SHA256
f7517342679606671d791fe36a176f7443550a4043533f6673ba6d895d244b1f

SHA512
3a84566ee9ba79c403cd2899157e121e9ef311d1133cd78170ee1ece3424a9e616604cb773561c70f16f4e7a55e55afd7dec90b59eaf8c989b3d73a76b274e0f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
471KB

MD5
c07c1133cda8d07992a4eb911d6dbe63

SHA1
d07cf60682f6c4670aacc50b216fb06eb33df1b2

SHA256
ed8e0d011a01b997fbfb901a3379a53cf82bffd8c0b78c9963307962284e7794

SHA512
9293776702e32ed0568de5f7af5e4bfefdf42e83f707d0477fe118f3da72742039e5d04078608d30b5c90cc1661830bc58a5f47a0c81795ba0ca11bded2fb800

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
453KB

MD5
251797ca2643471ee5d635830a478097

SHA1
743bb7f36866e46db9acbf38f51c41b813f53bfd

SHA256
e29156210500a340bd31fec76e087aa4652ed564b21246f3aca4edfbad13c054

SHA512
6c5855eeef9345dad3bc9fb1f6ddc05ec963fc7338b530091e61dfc58749db252c09bf65cdc675a8716fc17614aea46dd4354db32883a036e114296d392aa5c7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
452KB

MD5
0cb88742a4f992e970ea652ca5a546c1

SHA1
565c2fd281ccc1d1c1cb373a466722d4a299fefe

SHA256
a6d5e62d340604088b8fd94561436bb035bd4dcd7bc0897ec08b1e2337b99407

SHA512
e22f17879acc969519817d27df01926fc22a91b7c8a39b275f0cfaf0a50a26c74746f204eeb22d89c8a5dd880783ec09b7dae9c0e8a8a76a5f0070f7bfc958e8

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
469KB

MD5
b16f0c8bae819e7b9e061be2a7f9bbcc

SHA1
9a16d691f61b61e845c9eb0f85e1cfefa526ac8e

SHA256
5b86c935d765840434fd814853a318790244049d2207607ebab2fb21f44a9e2f

SHA512
84b6b725457ba8a42600f96798177720646128b8e19e6038ef1c97b37b5599035f0707d51f35be7d765e4aa6aad51048890447f75b8982cc4b4d0ee946f40d3f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
453KB

MD5
9ff12829da23cc1044223f6448fb06ac

SHA1
03affe7e8dddf31fbfd9163ada8536fb83f27670

SHA256
9da39bb976c05a936a8931fc60040a0b8439f8ece8855436dae129ff6d667dba

SHA512
6eb2e7cc54b0f6226b2b06e8f4ff785599947b9c97f470eba8e043e12566de6abbdce9eb320343593379d47b9e4ce82d02fcbf28345cad3000d637bfc61bcaf8

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
454KB

MD5
4fb85a049f319e2425d51b3124445457

SHA1
3a52eb7518358428d69fb903eb4d55805e62ba9d

SHA256
ee4601dfa949742b592ec85c42e7e56f914bdf7ad3cf491d0c6eb49008966a07

SHA512
2d73954bf31b5406a8366f953b9f975881582a6550023ffae57f27f719da3941d02b5360621c931cfbc538eb20668c8eb61afd08500fa5cb8a90b223e6337d4f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
456KB

MD5
79ad18307ede1f7784d5d8ace3b8b5ae

SHA1
80a5e174183a6394158f901cb31b8845a01174b2

SHA256
9dd1efed5775e84ce7bc853322c49e5fef766d8ce3b974c3b61cdb689938dc94

SHA512
bdb4eff2ff1619aae3d1e79d64ff5fd17b72f86029e42b7c7322628925ddf84ba75a49c2c33a08e13f0567c7abceddba618539f647032ff5f23906c19d0c9783

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
441KB

MD5
6c43f142f5f2d638a8e2d94c186f9905

SHA1
ee22294bd1205eab2f1d58a8f05943e7e6397e75

SHA256
8d015bc3f2767d45aad49590a647fbcd65fd27d87ed3c99f2c5e349fad1224b5

SHA512
bb674998b895dbf2b64272102ee6d6db0b3a70f4b17f21f93f1e390a4d281220b3362badd685bcc2969242a8fee442c01f40fda6efdb9ec1bb952d7f10a44768

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
463KB

MD5
39adab6f8f4e79aebe5da6ef22a97f45

SHA1
e9d20c40efcaddaf6e41d8be1191fd7d53b6db27

SHA256
e21aded2d138df13f341a3413c6fa922a7d3eec1a4ed2138cc84515e27a305d7

SHA512
369fa2d682375bead8ebfdcd3c54a94c3d97a7b2243b8ffb5ad62af8284bc8a40c7a8109650074c6c86dc4dfa421d02242f5c112ccb1bfee839db78248eb11aa

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
441KB

MD5
49a230dc464aba2bbf060fcf115f6e00

SHA1
e728090c3fdec1073bbc442e616a1b024bb69611

SHA256
51aac54d5b62dd75b38b2c52e516149f284db0c55567dc7e2a8eb01ed0916e0e

SHA512
8fccb396e6b300113de06b2d4e2a470f760bf47e0e6c78eed2ac444ef9929d740393565208375d17a12dd891119f6909de27191c9c4fc91a8f46f198091b61b8

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
461KB

MD5
e52d71eba00f907cb326051a8bd685b7

SHA1
d86f251f5d5a47191c6df00f311cf6e88a5a5da6

SHA256
e6010c7e915ec7c470108a261acf6360b44b42440e3a9a9e6a6afbc36baafd2b

SHA512
7bfcd4a65621764fccbc0cc1f05624f5929deb99ad064c2009f6212ac27afc1e79be3833341e17b3f64360d5b81e978e8f455247e935a1df92ea18c5b6704f95

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
449KB

MD5
955c7965ad9cc34c7a934dbeffdca5ec

SHA1
645144cc440877865b89cf602bbaf4400c856e67

SHA256
ad38e76d14b7e4590ddba5dc2fed88f0a9024604a9c9af16d8e8a4b4660d08c5

SHA512
f20a12fb1df87b39e12e70214656b2436923980536d88189bbc7694a9da3935a870bd23ebd9d3bb933e69374efd7b8fcaae8833fa34e193e397e1c6dba75b8e5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
465KB

MD5
825134e791d946fcc5b2b22dd8141a75

SHA1
c4245ffdb1c46dd601dbc6e92e6580c9bfdc5c88

SHA256
4f6311a88d4203783b9a2ecc8e25f162b783c361ea95f37b270fa2867c025430

SHA512
0cb346524d1cfe6428c1d991d1c823de706372fe2d72c44410a44cf112877dc7e8ea296cf05df6e5c0fc94a910ae58ed73a945bc10b396ab29e6644c6aaf6cc6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
462KB

MD5
a4560dc794b3932dd3dda016cfb6637d

SHA1
a978f03b68c40190b22b4928ccccb28e1ce4744a

SHA256
2c3b759da85949fb96a9caf3b062aa50640b993c3e1edb94ec280c4be11d5732

SHA512
f747668ef886a48c3894ae5e3a8b22e3ee3178b58841c94e53ab4578b37be644b55f4236de4aae2a23b870cff4a85bc27020ea9f24dc19f415b7b96855e4e7bf

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
461KB

MD5
c6f7ac5b8f884c7aecfa077657d5bb29

SHA1
d3a41c73887a17737577a34dd2ce43fd9e82ddb0

SHA256
63750c3bfcd830e982923e44741f0e7621f0e1a2e6359dd71e4d11068d00d3f1

SHA512
27eeb116108998cb7ef98a84d2c034ccc46600b9b34f8a2e7cef530715de6837520bd3530ca22f40b71006685d9b2f83f6f480ffd72675ffea1c5be20380ef20

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
469KB

MD5
34ed0e5dd14fe7517440c5252c534521

SHA1
153daf7fb49da8034edae19dabdc6ea1d7620749

SHA256
46cb45dcf6ba26db785375d299b1628275a51a91ded7e9b75c9aaaabb8979caf

SHA512
9705ce0cf2563043bfbbe5190b72acfdc36654b827035c0918862f73de5cb6e0b0bb23857bd1d0cafcf57344737774e0c1ceb265cd4d7e5cccf32d8524038e8f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
469KB

MD5
228f947764161131c558e8401b087943

SHA1
641c8eadbb140cc7fecfba979183eea2db9b47d0

SHA256
2ee27ae02bb37b9923273fbaad840cb4b2ca7754db92b0b0b4d73e9457133f13

SHA512
937fbf78e999249766a64652956f2565519dd2f07582cc00f742ac6917424ec28c038b8148b919b240d5c30ae11bc82c816881d9768ef2d61bca67e9501a011a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
442KB

MD5
bce10ea8c07816e9639abaff5df90336

SHA1
7ecb38f6bd5912c336ea59b03e5866a80f73eccb

SHA256
98a70ef039e375689016ad0e3d7bc71c1ca34dc6eb45577efc25d0aef85b7f76

SHA512
27cc9ccff1b4332bad013311882cd2522043231a005272697d089fa2ee023a011c8c67be8369628384c83c5760af5d22b85739f39d865dec625da70f08b7b06e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
445KB

MD5
91636d925ea45ea015e4f24ec4e7998e

SHA1
de2a41938199b41b9e58705f979c233cc2826592

SHA256
eb2bc3fd5944d849e6dded1d23944056e20f9c9b86f59ff5308fbc9afaa74b5f

SHA512
81f62ce13204d637e738112dbec4933ef002fc4b1282af12937e9e227600c1e3696fd58336f833d1442d8a7773e89c9f6c18daf3f94f1803ea919d17cc4432de

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
469KB

MD5
7ca601323b6aa373d1e27f2ceb5ad1aa

SHA1
3eaf131fa7a4fd115dd114dd1771d561c9a1f760

SHA256
1650165dc15bc038f057ca7dcba1c7d2b4b9055204e258c18eb24bf85c00213f

SHA512
7679d7329a7b2e666b238abd8a9ea3eecb5d323d25a199e0ec5efecaa453c048600931eead1639ea330c757543f2581b4da6d19dd8bf0dff0488621986ba01bc

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
461KB

MD5
a964a07523282b70dbe58d6b4371bd47

SHA1
d20028088d882afa2fd091134694a240bbf0830d

SHA256
404652fc9fcc5904060390d9dee7ea72ee74681dc4c9a5f1fb4514d3f188ff22

SHA512
57e523d65eb2777c4e31a0ac6c669ea56c8a93a64cf8085493efb4b111feb3dc237e55ff7f9a3856a165627a9222d579407413a9bce87539614cdd30812275ab

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
464KB

MD5
e5e12810e6bb309a07289c50717fabc3

SHA1
eac79b6ae393f403117a695d7a280828def28dfa

SHA256
974086738ac43c86fe2773f29c21f497ff620205537f7563ff004e28891730bc

SHA512
17accf92447ec01e2a7310ea6c593c7f362386d838e4c0bb3c01f0ee960f5c44161575d5999164bd8a0724aad56bbefd7a0ff99fa7835d24b64202b71a875bfb

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
444KB

MD5
6bcbe6a31a5fb1df3cb41b50b89572a6

SHA1
3565a8eff3d96f6bd49386d5f7767ee49a4aae9e

SHA256
e0da041505696de6a11d9b22cc3075fc5a755bf7f8894b575f49eca7104ea091

SHA512
291a79023eb3c4a83be9715ff3ca711be4fa54c27f46cc29cab7f983b08f26c04bf65fb641bba56e8ff1f0490279e24b00b9c674b8384c597a2b11f8a8b52fe5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
451KB

MD5
70ad2b2c2b680f646228eedc8e24f229

SHA1
2703efa69c6265aae9bdb8ca0e292ae01d849c0a

SHA256
e926ca35bce3ed43c24514a649024b3fd665352dc5550292826ac29385b8b39f

SHA512
3ec47e4223797f510943e09b8d725815f6fc9f54fcbb6a91e5eb9fe7250773ad805dccc3ff24f7b1a3e0cd0bb6be4d717bccc7323087f9ac60e79b82cbed6c3d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
440KB

MD5
1faf4eed4ce69858df328ff46f9b7774

SHA1
7c067071408518c073c47c488df19a713d55232b

SHA256
8ccb44c7ae3b7bb22942c38bf1f2c5f1450f31dda2ead54ba8bd39c8934ac371

SHA512
d469942249c5156d24dddd1ea07fca2a3fcf2cafb851b3cc81c39b9bdecc1538910e9002dd9d39d1c4fb3fe03e354d26ce82bacc6e7ffae059b1b198e39456f1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
464KB

MD5
6e84c1554f4bf31cd47f0a16f21a4d6c

SHA1
b624b03f6651f944b074f49b76b9a8b8f17e0062

SHA256
45a233ce4139a16d430b6fb2d15d5262bc043913f678113c9d575b9ae5ccc277

SHA512
553a2743a800e8b5c5644e66f2a7aabd7d57373c90402d41066400fecd0a8234ab6e9b519f10658493b7e3c69d51aedd1c84149c2160179abfbe2d17a1e25380

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
440KB

MD5
2c85feb2178c87cf78890bf65e2ee374

SHA1
4123d88b8d87ad3464d40457301597443b41ce52

SHA256
3ea1af3c5020b73c1743ca84be4bd78b424e70fa1c42461b6e6e25df10b42632

SHA512
599de99852924f8966f3be910c3c93e465d2186eb534b8139d11ea5165663f1f4ce9b44e4daaf5b0957a094bd919fb0f4029dc7888cd49a9d6b32a3cd49de497

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
467KB

MD5
bd61a4b37419fa9ec5f7635d70522c55

SHA1
8ef09bf15846fd05d446c185673cf5cb976da130

SHA256
fbdc8be77c69a7ca5616081d2ab6d433b91d64f88de4ea6577b67bd59ee6d53a

SHA512
c5800dfbebcdfd0428d96524d82a5a3ebe1211601f6aaf41eaf84288bc0db0e8a8d17a361fd5abb6013e9b287cbee7a5037efe796eb46ba9cd20626aca66293f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
451KB

MD5
39c0fd50edd86df44e4727c6370e6d74

SHA1
898e80fb099614e29f14b003afda49d151d2ea55

SHA256
92ed4deda6d7ef4ffe28622eb0582a6e96955e2494e0344a0a0de196f082d4a9

SHA512
8976d08df101ae300a564309c429e73b878b75e1b1bce8659e3f730e37a6fa698cc804ea6d3334f8047df5b6c6d315503045ddd603b39c2d5fd4dd92127721f0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
453KB

MD5
7d7db2484f3da20b2b192ddffc582d84

SHA1
61624a0fefaa4033d77099fdf4615ed1ce1cada3

SHA256
86c6eb5a500659ab67fa5fe9331ebab4de2cd868989c88c858a0323947236dd9

SHA512
dd0d89fa95b25380c1a64807487b9594dc35c984cde3580e8f736d7d795ccd5d28a1ec40c4e09fbe84dfbf6af0405748dc03dcd4cc93ba9feabc7b881af9a3e7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
454KB

MD5
90ddbec004bee84444c94be13d815b3f

SHA1
d0249d4f38e8a2e97ffd2de86bfbce3319c9098b

SHA256
33227df8302c2fb57b94c31fb3afc9cf4cefeeaa9425109feda8018e6e70572d

SHA512
78e170603b5af8df469c8188e4692c423f4b58a9e95b3b4b389f03a64b230edd99b2c66ee99b25de62d73be28f555948e2afe431d1b47367fea70658d2468ade

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
451KB

MD5
ef7bb0af694c6a3398de06d584ff515e

SHA1
e5ecab39e602ba1713305089b0aab5f8477aae33

SHA256
cc699685e04a31a6da2225eeceb43e09d7361e72dcfa74cffa1420d7f917c1ec

SHA512
129ae2ff9e0252775b9c65ea9ad54fafd63b140be3141c1a5ed0653005c4093a742866a737e92a4b9f95e4ff9c40e0237700d349d5521cbe1f4d5a9c1d7bfca9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
440KB

MD5
698a47caaeac9eca6a3310b6213cc8e4

SHA1
6a33b47851f98fceba8b3f84e32a831c1a9df849

SHA256
439e589bc883fc7a88343c44b370e64fbd1d20aa444b5511e0fe6df74d119935

SHA512
b72f64960a5e35adfd5ab10506b13a1eaa1cbfac15fce6b96d961c65d428a44e15e8066e01681cd55a94c9cafaa864f60f66a48b87eaa5eac3494e7ea70f0106

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
464KB

MD5
3e80bdea99fa53f6dcda66133f7481b5

SHA1
15425affc8895370810eb54dfaa528523795035e

SHA256
2c76a269dd5fae99ef0ddbf3930483ecfde91d9ac94c435f28f884798a9eae74

SHA512
f0037a4606b9027026e25359ba3deaceb4801d83e2d8c99561941d9de1d2d2f21a9222a497109e4cf2c02630743a63818ee24775bd9868d74c7189c985188e28

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
440KB

MD5
01f5da9f5d7b5b6dc32985f2fea82b06

SHA1
04a1722aae839390fab5651b9eeedab6d36bdf72

SHA256
f52480fe4eaa0ba02813056fa56f248d4ffe950e91ae0370a7054e6c55176912

SHA512
5eace8192ef85423f3e5d6f964a42616e19001d83ff904179068060d4a33997c560be2ce5b0ee81d6d80f6973f795139d2d48b0de98aa2af162a072d974256fe

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
451KB

MD5
d7a2ef48893c4209b53b735b3cc8ad03

SHA1
8ad475a2922fb40cc87cc87b7ec2ebcdf827b462

SHA256
481bc728538696ddf85129d002fa622597e2fed759d944af1cb516b56a3939f5

SHA512
88fc19e7cfda516bab14a4ef0fe9cc5e7e7e83a527f78b6ba0b5b208e65499a591b91584d92f5518ab2abeedfa50b3674c86279c0d261f3afbff2e00f5adbe44

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
451KB

MD5
7b917e3356c0066b89a6850d882da5cb

SHA1
ba1966567004263ce3ae907c8c885c1050e17a83

SHA256
309287935a851652c88bc43c9dce6dc1d7e24e786849fc325e6511a035bcd55b

SHA512
d44f9eff339c56c865233de06060db9c11dddd18e533cbe327791977fb1cac51a54f3a2e7dc31b3ebcc8cd503a4535c51afac36a2764159d90c2be7e0f6d5c06

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/60-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/60-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/220-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/220-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/896-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/896-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1496-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3120-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3120-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-123-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-86-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download